Lo and Ko in [1] have developed some attacks on the cryptosystem called αη [2], claiming that these attacks undermine the security of αη for both direct encryption and key generation. In this paper, we show that their arguments fail in many different ways. In particular, the first attack in [1] requires channel loss or length of known-plaintext that is exponential in the key length and is unrealistic even for moderate key lengths. The second attack is a Grover search attack based on 'asymptotic orthogonality' and was not analyzed quantitatively in [1]. We explain why it is not logically possible to "pull back" an argument valid only at $n = \infty$ into a limit statement, let alone one valid for a finite number of transmissions n. We illustrate this by a 'proof', using a similar asymptotic orthogonality argument, that coherent-state BB84 is insecure for any value of loss. Even if a limit statement is true, this attack is a priori irrelevant as it requires an indefinitely large amount of known-plaintext, resources and processing. We also explain why the attacks in [1] on αη as a key-generation system are based on misinterpretations of [2]. Some misunderstandings in [1] regarding certain issues in cryptography and optical communications are also pointed out. Short of providing a security proof for αη, we provide a description of relevant results in standard cryptography and in the design of αη to put the above issues in the proper framework and to elucidate some security features of this new approach to quantum cryptography.


1 Introduction 

In [1], Lo and Ko describe, without quantitative calculations, some attacks on the direct encryption protocol of [2], interpreted by them also as a key generation scheme. They draw the firm conclusion that our protocol is fundamentally insecure, that these attacks were neglected by us as they are "outside the original design," and that they "can, to some extent, be implemented with current technology." We contend that the strength and weakness of our scheme have been totally misrepresented in [1], which does not analyze the relevant cryptographic problems in a meaningful framework. Although we have already commented briefly on the attacks of [1] in [2] and [?], and some related comments are given by Hirota et al. in [?], [1] is still often quoted without also referring to our partial rejoinder. Thus, we feel it appropriate that a specific response to [1] be made in a complete paper. In particular, we would like to clear up at the same time many issues in the practical use of quantum cryptography and in the properties of αη that have so far not been elucidated in the literature. We do not attempt to give a complete security proof of αη in this paper. Such a proof is not available and is the subject of ongoing research. See [?] for recent results. Nevertheless, it is possible to refute the arguments of Lo and Ko taken by themselves, and this will be the main aim of this paper.

First of all, we note that the attacks in [1] do not contradict our claim in [2] that αη encryption provides exponential complexity-based security against known-plaintext attacks using a particular 'assisted' brute-force search. See [2] or, alternatively, [4] for a more detailed description. Although we mention the possibility of key generation with αη, we do not present an explicit scheme to do so in [2]. The authors of [1] assume that the protocol of [2] works without any additions or modifications for key generation, which was not claimed by us at all. While they arrive at attacks that purport to show that αη is insecure in the information-theoretic sense against known-plaintext attacks — already believed by us to be quite possible [2] — we claim that the two attacks in [1] do not conclusively prove insecurity of any finite-n system. Proof is important in this quantum situation because αη falls outside the class of classical nonrandom ciphers for which known-plaintext attacks can be proved to succeed. But perhaps more significantly, the Lo-Ko attacks are unrealistic in the fundamental sense of having exponential complexity and requiring an exponential amount of resources. In Section 2.2, we bring out the important point that, in contrast to other kinds of complexity, exponential complexity offers realistic security as good as unconditional security.

We shall explain fully our criticisms of [1] in the course of this paper. In this introductory section, we lay out three major general defects in [1] which in our opinion are also implicit in various papers on theoretical quantum cryptography. We will later have occasion to indicate specific points where these defects arise when we reply in detail in Section 4 to the attacks in [1].

In the first place, vague qualitative arguments are often offered as rigorous proofs, while at the same time not giving precise conditions under which a result is claimed to be valid. In [1], there are even several claims made without any argument at all. Rigorous proofs are important in quantum cryptography because the main superiority it claims over standard cryptography is the possibility of rigorous proof of security, unconditional or otherwise. A more subtle point is that many arguments, including one in [1], rely on statements valid at $n = \infty$ which cannot be cast into limiting statements on the relevant quantities. Indeed, limit and continuity questions at $n \to \infty$ are especially subtle in quantum mechanics owing to the nonseparable Hilbert space, i.e., a Hilbert space with an uncountable basis, that arises when $n = \infty$. One pitfall of such a leap of faith is illustrated in Section 5.

Secondly, strong claims are made with no actual numbers or numerical ranges indicated for the validity of the results. Thus, results are often claimed to be valid asymptotically as the number of bits n in a sequence goes to infinity, without any estimate on the convergence rate. Such limiting results alone are of no use to an experimentalist or designer of a real system. As security proofs, they offer no quantitative guarantee of any kind on an actual realistic system where n is often not even very large. As attacks, they imply nothing about the level of insecurity of any finite-n system without convergence-rate estimates. Thus, showing a scheme to be insecure simply as a limiting statement when $n \to \infty$ has no practical implication. (See Section 4 for a complete discussion.) A related point is with regard to the realistic significance of quantities that vary exponentially with respect to some system parameter. Thus, consideration of attacks, as is the case in one attack in [1], that succeed only when the channel transmittance (the output-to-input power ratio) $\eta \sim 2^{-|K|}$, where $|K|$ is the key length, is seen to be practically irrelevant by plugging in typical numbers for $|K|$. More significantly, attacks that require exponential resources or processing like those in [1] are irrelevant in a fundamental sense, because the situation cannot be changed by technological advances, similar to the case of unconditional security.

These points are important because security in cryptography is a quantitative issue. For 
example, in quantum key generation, the exact amount of Eve's uncertainty determines how 
much key is generated. To ensure that one generates a sufficiently large key, it is not sufficient 
to use qualitative arguments that are valid only at extreme limits, since they may break down 
quantitatively in realistic systems. 

Thirdly, the general approach to quantum cryptography underlying αη, called 'Keyed Communication in Quantum Noise' (KCQ) [3], is not well understood. In particular, the various and distinct issues in connection with direct encryption and key generation with (or even without) a secret key, which have to be clearly delineated for a proper analysis, are lumped together in [1], generating considerable confusion even in the context of classical cryptography. Since our approach is novel, this current situation is perhaps understandable. While the full story of this field of research is still to be understood, some clarifications can be made to clear up the various confusions.

In addition to the above, some specific details of implementation of αη are also misconstrued in [1]. Along with responding to the Lo-Ko arguments, one main purpose of this paper is to provide the proper framework for security analysis of αη, for direct encryption as well as key generation. It is not the purpose of this paper to provide any detailed security analysis of αη, which is a huge undertaking and an on-going effort. However, we will indicate the many features that make αη uniquely interesting and useful at various places in the paper.

The plan of this paper is as follows: In Section 2, we provide an outline of relevant results and facts in symmetric-key cryptography, which are not well known. Our statements on direct encryption cryptography in this paper refer only to the symmetric-key case, and not to public-key cryptography. In fact, public-key cryptography is not used for encryption of data sequences of more than a few hundred bits owing to its slow speed. We discuss in a subsection the current knowledge regarding security against known-plaintext attacks in standard cryptography and discuss the concepts of a random cipher and a nondegenerate cipher. Much of this subsection as well as Appendix A are our own contributions. They contain subtle distinctions needed to precisely state important results, and may be regarded as providing the basic framework in which to view known-plaintext attacks on αη or any other randomized encryption system. In Section 3, we review our αη scheme and the different security issues associated with its use in direct encryption and key generation. In Section 4, the Lo-Ko attacks and their specific criticisms are explained and responded to, both specifically and generally in view of the above-mentioned defects. It will be shown that their arguments are deficient in many different ways. To illustrate the fallacy of the 'asymptotic orthogonality' argument, a 'proof' that coherent-state BB84 using a classical error-correction code is insecure for any loss, no matter how small, is presented in Section 5. Various other misconceptions in [1] are listed in Section 6. A brief summary of our conclusions is given in Section 7.

2 Cryptography

2.1 Direct Encryption 

We assume that the basics of symmetric-key data encryption are known to the reader (see, e.g., [?]). Thus, the n-symbol long plaintext is denoted by the random variable $X^n$, the corresponding ciphertext is denoted $Y^n$ and the secret key is denoted $K$. In standard cryptography, one usually deals with nonrandom ciphers, namely those cryptosystems for which the conditional entropy

$$H(Y^n \mid K X^n) = 0. \qquad (1)$$

Thus, the plaintext and key uniquely determine the ciphertext. In such a case, $X^n$ and $Y^n$ are usually taken to be from the same alphabet. Note that in this paper, equations involving n as a parameter are assumed to be valid for all n unless stated otherwise. Ciphers for which Eq. (1) is relaxed so that the same plaintext may be mapped for a given key to many different ciphertexts, perhaps drawn from a different alphabet than $X^n$, will be called random ciphers. Thus, a random cipher is defined by

$$H(Y^n \mid K X^n) \neq 0. \qquad (2)$$

Such ciphers are called 'privately randomized ciphers' in Ref. [?] as the different ciphertexts $Y^n$ for a given $X^n$ are obtained by privately (i.e., in an unkeyed fashion known only to the sender Alice) randomizing on a specific $Y^n$. We will just call such a cipher a random cipher (note that 'random cipher' is used in a completely different sense by Shannon [9]). For both random and nonrandom ciphers, we enforce the condition that the plaintext be recoverable from the ciphertext and the key, i.e.,

$$H(X^n \mid K Y^n) = 0. \qquad (3)$$

A detailed quantitative characterization of classical and quantum random ciphers is available in [?].

By standard cryptography, we shall mean that Eve and Bob both observe the same ciphertext random variable, i.e., $Y^E_n = Y^B_n = Y^n$. Note that in such a standard cipher, random or nonrandom, the following Shannon limit [?] applies:

$$H(X^n \mid Y^n) \le H(K). \qquad (4)$$

By information-theoretic security on the data, we mean that Eve cannot pin down uniquely the plaintext from the ciphertext, i.e.,

$$H(X^n \mid Y^n) \neq 0. \qquad (5)$$

The level of such security is quantified by $H(X^n \mid Y^n)$. Shannon has defined perfect security [?] to mean that the plaintext is statistically independent of the ciphertext, i.e.,

$$H(X^n \mid Y^n) = H(X^n). \qquad (6)$$

We shall use near-perfect security to mean $H(X^n \mid Y^n) \approx H(X^n)$. Security statements on ciphers are naturally made with respect to particular possible attacks. We will discuss the usual cases of ciphertext-only attack, known-plaintext attack, and statistical attack in the next subsection. We now turn to key generation.

2.2 Key Generation

The objective of key generation is to generate fresh keys. By a fresh key, we mean a random variable $K^g$ shared by the users from processing on $X^n$ for which

$$H(K^g \mid K Y^E_n) \approx H(K^g) \qquad (7)$$

for some n. Here $K$ is any secret key used in the key generation protocol. In other words, one needs to generate additional randomness statistically independent of previous shared randomness such as a secret key used in the protocol. The two major approaches to key generation are via classical noise and BB84-type [11] quantum cryptography. With the advent of quantum cryptography, the term 'unconditional security' has come to be used, unfortunately, in many possible senses. By unconditional security, we shall mean near-perfect information-theoretic security against all attacks consistent with the known laws of quantum physics.

Using Eq. (4), it is easily seen that, in standard cryptography, $X^n$, or any publicly announced function thereof, cannot serve as fresh key. This is because all the uncertainty in $X^n$ is derived from $K$, however long n is, and therefore $H(K^g \mid K Y^n) = 0$.

While key generation is impossible in standard cryptography, it becomes possible in principle in a situation where $Y^E_n \neq Y^B_n$. This necessary condition must be supplemented by a condition for advantage creation [?], e.g.,

$$H(X^n \mid K Y^E_n) > H(X^n \mid K Y^B_n). \qquad (8)$$

In (8), the key $K$ is conceptually granted to Eve after her measurements to bound the information she may possibly obtain by any collective classical processing that takes advantage of the correlations introduced by $K$. We mention here that even when there is no a priori advantage, provided $Y^E_n \neq Y^B_n$, advantage may often be created by advantage distillation, e.g., through post-detection selection so that Eq. (8) is satisfied for the selected results. Keyed Communication in Quantum Noise, called KCQ in [3] and hereafter, provides one way of creating advantage for fresh key generation from the performance difference between the optimal quantum receivers designed with and without knowledge of the secret key. Some of the advantages of such an approach to key generation will be indicated later, and further details can be found in [?].

Even when information-theoretic security does not obtain, so that the data or the key is in fact uniquely determined by the ciphertext (we shall see in Subsection 2.4 that this is the usual situation in standard cryptography when the plaintext has known nonuniform statistics), we may still speak of complexity-based security. This refers to the amount of computation or resources required to find the unique plaintext $X^n$ or key $K$ corresponding to the observed $Y^n$. In practice, forcing a large amount of computation on Eve can provide very effective security. In fact, standard ciphers owe their widespread use to the absence of known efficient algorithms that can find the unique key or plaintext from the ciphertext, with or without some known plaintext. Note that the security of a system is especially good if the complexity grows exponentially in $|K|$, resulting in a search problem that cannot be efficiently handled even by a quantum computer. In contrast to merely 'hard' problems such as factoring integers or even NP-complete problems, for which complexity is not quantified, exponential complexity is a guarantee of realistic security as good as unconditional security. This is because a quantity that is exponential in a system parameter can easily become so large as to be impossible to achieve. For example, it is a fact as certain as any physical law that one cannot have $10^{600}$ beamsplitters (see our response to the first attack of Lo and Ko in Section 4) on the earth, or in the whole known universe for that matter — this can be seen merely from size considerations. Similar remarks hold for exponential computing time requirements. However, neither αη nor any standard cipher has been proven to require exponential resources to break.

2.3 Classes of attacks in quantum cryptography 

In our KCQ approach, we conceptually grant a copy of the transmitted state to Eve for the purpose of bounding her information. Thus, there is no need to consider what kind of probe she uses. For further details, see [?]. Accordingly, we will classify attacks a little differently from the usual case in BB84 protocols, basing our classification only on the quantum measurement or processing Eve may make.

By an individual attack, we mean one where the same measurement is made in every qubit/qumode and the results are processed independently of one another. Obviously, the latter is an artificial and unrealistic constraint on an attack, but analyses under this assumption are standard for BB84. In this connection, we note that in the BB84 literature, one often finds individual attacks being defined only by Eve's qubit-by-qubit probes and measurements, but with the actual analysis of such attacks being carried out with the further assumption that no classical collective processing is used, so that Eve has independent, identically distributed (iid) random variables on her bit estimates. This assumption renders the results rather meaningless, as Eve can easily jointly process the quantum measurement results to take advantage of the considerable side information available to her from announcements on the classical public channel. It is a subtle task to properly include such side information in the security proofs of BB84-type protocols, one that we will elaborate upon in future papers. However, it is this definition of individual attack that has been used for our information-theoretic security claims in [?].

By a collective attack, we mean one where the same measurement is made in every qubit/qumode but where joint classical processing of the results is allowed. Conceptually, one may also consider the most general attacks on classical systems to be in this class. We will refer to a particular collective attack on αη using heterodyne or phase measurement on each qumode later in this paper. Note also that encryption of a known plaintext with all possible keys followed by comparison of the result to the observed mode-by-mode measurement result (i.e., a brute-force search) is a collective attack, since the correlations between the ciphertext symbols introduced during encryption are being used. Note that our use of the term "collective attack" is different from the BB84 case, due to the fact that there is no need to account for probe setting in our KCQ approach. Finally, for us, a joint attack refers to one where a joint quantum measurement on the entire sequence of qubits/qumodes is allowed. This is the most general attack in the present circumstance, and must be allowed in any claim of unconditional security.

2.4 Security against known-plaintext attacks and statistical attacks

In this subsection, we describe some results in classical cryptography that are not readily available in the literature. For a standard cipher, the conditional entropy $H(X^n \mid Y^n)$ describes the level of information-theoretic security of the data $X^n$, and $H(K \mid Y^n)$ describes the information-theoretic security of the key. The attacks considered in cryptography are ciphertext-only attacks, and known-plaintext or chosen-plaintext attacks. There is in the literature an ambiguity in the term 'ciphertext-only attack' regarding whether the a priori probability distribution $p(X^n)$ of the data is considered known to the attacker or is completely random to her. To avoid confusion, we will use the term ciphertext-only attack to refer to the case where $p(X^n)$ is completely random to Eve, statistical attack to refer to the case when some information on $X^n$ in the form of a nonuniform $p(X^n)$ is available to Eve, known-plaintext attack to refer to the case when some specific $X^n$ is known to Eve, and chosen-plaintext attack to refer to the case when some specific $X^n$ is chosen by Eve. Generally, our results referring to known-plaintext attacks are valid in their qualitative conclusions also for chosen-plaintext attacks. (Note that we are restricting ourselves to private-key cryptography; this is not generally true in public-key cryptography.) Therefore, our use of the term 'known-plaintext attack' may be taken to include chosen-plaintext attacks also, for symmetric-key direct encryption.

In standard cryptography, one typically does not worry about ciphertext-only attack on nonrandom ciphers, for which Eq. (4) is satisfied with equality for large n for the designed key length $|K| = H(K)$ under some 'nondegeneracy' condition [?]. In such situations, it is also the case that $H(K \mid Y^n) = H(K)$ so that no attack on the key is possible. However, under statistical and known-plaintext attacks, this is no longer the case and Eve can launch an attack on the key and use her resulting information on the key to get at future data. Indeed, it is such attacks that are the focus of concern in standard ciphers such as the Advanced Encryption Standard (AES). For statistical attacks, Shannon [9] characterized the security by the unicity distance $n_0$ (for statistical attacks), which is defined to be the input data length at which $H(K \mid Y^{n_0}) = 0$. For a nonrandom cipher defined by (1), he derived an estimate on $n_0$ that is independent of the cipher in terms of the data entropy. This estimate is, unfortunately, not a rigorous bound. Indeed, one of the inequalities in the chain goes in the wrong direction in the derivation, although it works well empirically for English where $n_0 \approx 25$ characters. Generally, it is easy to see that a finite unicity distance exists only if, for some n, there is no redundant key use in the cryptosystem, i.e., no plaintext sequence $X^n$ is mapped to the same ciphertext $Y^n$ by more than one possible key value. With redundant key use, one cannot pin down the key, but it seems one also could not enhance the system security either, and so it is merely wasteful. The exact possibilities will be analyzed elsewhere. A nonrandom cipher is called nondegenerate in this paper if it has no redundant key use either at some finite n or for $n \to \infty$. A random cipher will be called nondegenerate when each of its nonrandom reductions is nondegenerate (see [?]). Under the condition

which is similar but not identical to the definition of a 'nondegenerate' cipher given in [?], one may show that, when [?] holds, one has

$$\lim_{n \to \infty} H(Y^n \mid X^n) = H(K), \qquad (9)$$

$$\lim_{n \to \infty} H(K \mid X^n Y^n) = 0. \qquad (10)$$

In general, for a nonrandom cipher, we define a nondegeneracy distance $n_d$ to be the smallest n such that

$$H(Y^n \mid X^n) = H(K) \qquad (11)$$

holds, with $n_d = \infty$ if (9) holds and there is no finite n satisfying (11). Thus, a nonrandom cipher is nondegenerate in our sense if it has a nondegeneracy distance, finite or infinite. In general, of course, the cipher may be degenerate, i.e., it has no nondegeneracy distance. We have the result given by Proposition A of Appendix A that, under known-plaintext attack, a nonrandom nondegenerate cipher is broken at data length $n = n_d$. This is also the minimum length of data needed to break the cipher for any possible known-plaintext $X^n$. Many ciphers including the one-time pad and LFSRs (linear feedback shift registers [?]) have finite $n_d$. For chosen-plaintext attacks, the above definitions and results apply when the random variable $X^n$ is replaced by a specific $X^n = x^n$.

The above result has not been given in the literature, perhaps because $H(K \mid X^n Y^n)$ has not been used previously to characterize known-plaintext attacks. But it is assumed to be true in cryptographic practice that $K$ would be pinned down for sufficiently long n in a nonrandom 'nondegenerate' cipher. However, there is no analogous result on random ciphers, since under randomization Eq. (1), and usually also [?], does not hold for any n.

The following result is similar to one in [?]. The homophonic substitution algorithms provided in these references work also for finite sequences, and may result in data compression rather than data expansion depending on the plaintext.

Proposition B 

In a statistical attack on nonuniform iid $X^n$, homophonic substitution randomization [13, 14] on a nonrandom nondegenerate cipher can be used to convert the attack into a ciphertext-only one, thus completely protecting the key.

This reduction does not work for known-plaintext attacks. The problem of attacking a symmetric-key random cipher has received limited attention because such ciphers are not used in practice, due to the associated reduction in effective bandwidth or data rate and also due to the uncertainty on the actual input statistics needed for homophonic substitution randomization. Thus, the quantitative security of random ciphers against known-plaintext attacks is not known theoretically or empirically, although in principle random ciphers could defeat statistical attacks according to Proposition B. All that is clear is that random ciphers are harder to break than the corresponding nonrandom ones, because a given pair $(X^n, Y^n)$ may arise from more possible keys due to the randomization. See Ref. [4] for a detailed elucidation.

If a random cipher is nondegenerate, we say it has information-theoretic security against known-plaintext attacks when

$$\lim_{n \to \infty} H(K \mid X^n Y^n) > 0, \qquad (12)$$

i.e., if $H(K \mid X^n Y^n)$ cannot be made arbitrarily small whatever n is. The actual level of the information-theoretic security is quantified by the left side of (12). As in the nonrandom case, only for a nondegenerate cipher, i.e., one with no redundant key use, is it meaningful to measure key security with entropy. It is possible that some random ciphers possess such information-theoretic security. See Appendix A.

We define the unicity distance $n_1$ for known-plaintext attacks, for both nondegenerate random and nonrandom ciphers, as the smallest n, if it exists, for which

$$H(K \mid X^n Y^n) = 0. \qquad (13)$$

The unicity distance $n_1$ is defined to be infinity if (13) holds for $n \to \infty$. Any cipher with information-theoretic security against known-plaintext attacks has no unicity distance $n_1$. For a nondegenerate nonrandom cipher, we have shown in Appendix A that $n_1 = n_d$. We shall see in the next section that αη can be considered a random cipher in the above sense under collective attacks, but with no reduction in effective data rate. (Recall that collective attacks are the most general in classical ciphers.) Thus, the statement in [1] that "known-plaintext attacks are rather standard and were successfully launched against both the Germans and the Japanese in World War II" is an oversimplification, since the ciphers referred to in it were nonrandom.

3 αη Direct Encryption and Key Generation

Consider the original experimental scheme αη (called Y-00 in Japan) as described in [2] and depicted in Fig. 1. Alice encodes each data bit into a coherent state in a qumode, i.e., an infinite-dimensional Hilbert space (the terminology is analogous to the use of qubit for a two-dimensional Hilbert space), of the form (we use a single-qumode representation rather than a two-qumode one for illustration)

where $\alpha$ is real, $\theta_\ell = 2\pi\ell/M$, and $\ell \in \{0, \ldots, M-1\}$. The M states are divided into $M/2$ basis pairs of antipodal signals $\{|\pm\alpha_\ell\rangle\}$ with $-\alpha_\ell = \alpha_{\ell+M/2}$. A seed key $K$ of bit length $|K|$ is used to drive a conventional encryption mechanism whose output is a much longer running key $K'$ that is used to determine, for each qumode carrying the bit $b \in \{0, 1\}$, which pair $\{|\pm\alpha_\ell\rangle\}$ is to be used. The bit $b$ could either be part of the plaintext in a direct encryption system (as is the case in [2]) or it could be a raw key bit from a random number generator. Bob utilizes a quantum receiver to decide on $b$ knowing which particular pair $\{|\pm\alpha_\ell\rangle\}$ is to be discriminated. On the other hand, Eve needs to pick a quantum measurement for her attack in the absence of the basis knowledge provided by the seed or running key. The difference in their resulting receiver performances is a quantum effect that constitutes the ground, as we shall see in subsequent subsections, both for making αη a random cipher for direct encryption, and for possible advantage creation vis-à-vis key generation. To avoid confusion, we shall use the term 'αη' to refer only to the direct encryption system, following our practice in [2]. When we want to use the same system as part of a key generation protocol, we shall refer to it as 'αη-Key Generation' or 'αη-KG'. We discuss αη and αη-KG in turn in the next two subsections.

Note that since the quantum-measurement noise is irreducible, such advantage creation may result in an unconditionally secure key-generation protocol. In contrast, in a classical situation including noise, the simultaneous measurement of the amplitude and phase of the signal, as realized by heterodyning, provides the general optimal measurement for both Bob and Eve, thus preventing any advantage creation under our approach that grants Eve a copy of the state for the purpose of bounding her information. We may remark that since a discrete quantum measurement is employed by the users, αη and αη-KG are not continuous-variable quantum cryptosystems. In particular, their security is not directly derived from any uncertainty relation for observables with either continuous or discrete spectrum.

Fig. 1. Left: Overall schematic of the αη scheme. Right: Depiction of $M/2$ bases with interleaved logical state mappings.

3.1 αη Direct Encryption

Let $X^n$, $Y^E_n$, $Y^B_n$ be the classical random vectors describing respectively the data, Eve's observation, and Bob's observation. Eve may make any quantum measurement on her copy of the quantum signal to obtain $Y^E_n$ in her attack. One then considers the error in her estimation of $X^n$. As an example, consider the attack where Eve makes a heterodyne measurement or a phase measurement on each qumode [?]. Under such an attack, αη becomes essentially a classical random cipher (in the sense of Section 2), because it satisfies

$$H(X^n \mid Y^E_n, K) \approx 0 \qquad (15)$$

along with Eq. (5) for the experimental parameters of [?]. Under Eq. (15), Eq. (4) also obtains and the data security is no better than $|K|$ as in all standard symmetric-key ciphers. Still, heterodyning by Eve does not reduce αη to a classical nonrandom stream cipher, as claimed in [18]. Rather, it becomes a random cipher as already pointed out in [?]. For each transmitted qumode, the plaintext alphabet is $\{0, 1\}$ and the ciphertext alphabet is any point on the circle of Fig. 1 when a phase measurement is made by Eve, and is any point in the plane when a heterodyne measurement is made. Note that the ciphertext alphabet depends on what quantum measurement is made by the attacker. However, it can at most be reduced to an M-ary one by collapsing the continuous outcomes into M disjoint sets. This is so because such an alphabet is the smallest possible ciphertext alphabet such that it is possible to decrypt for every possible value of ciphertext and key. We have elaborated on this point in Section 5 of [?]. Hence, αη is a random cipher against attacks on the key, and cannot be reduced to an additive stream cipher, which is nonrandom. When it is forced to become nonrandom, even just for Bob, it becomes noisy. See our reply [?] to the attack in [18] for more details. Also see their subsequent response [15] based on a confusion regarding the interpretation of Eq. (15), which is valid for our αη system of [2]. Further elaboration is available in [3].
Observe that the randomization in αη can be accomplished classically in principle, but not in current practice. This is because true random numbers can only be generated physically, not by an algorithm, and the practical rate for such generation is many orders of magnitude below the ~ Gbps rate in our experiments, where the coherent-state quantum noise does the randomization automatically. Furthermore, our physical "analog" scheme does not sacrifice bandwidth or data rate compared to other known randomization techniques, because Bob resolves only two, not M, possibilities. Another important point with regard to physical cryptosystems like αη, whether random or nonrandom, is that they require the attacker to make analog or at least M-ary observations, i.e., to attack the system at the physical level, even though the data transmitted is binary. In particular, as indicated above, it is impossible to launch a known-plaintext attack on the key using just the binary output, available for instance at a computer terminal.

While the original αη scheme of Fig. 1 is a random cipher under collective attacks made without knowledge of the key K, or more generally under qumode-by-qumode measurements that can vary from qumode to qumode, it is still a nonrandom cipher in the sense of quantum states. See also Ref. [?]. The technique called Deliberate Signal Randomization (DSR) described in [3] would make it a random cipher even with respect to quantum states. This amounts to randomizing (privately, in the sense of [3]) the state transmitted so as to cover a half-circle around the basis chosen by the running key. The security of such ciphers is an open area of research. While we will not delve into the details of DSR in this paper, it may be mentioned that at the mesoscopic signal levels used in [?, ?, 17], DSR with an error-correcting code on top may be expected to induce many errors for Eve while Bob remains essentially error-free. The reason is similar to that for Eq. (4) in Ref. [?], with advantage for Bob due to the optimal-receiver performance difference described in the next subsection and in [3]. Thus, information-theoretic security is expected [3] for the key, and at a level far exceeding the Shannon limit for the data, when DSR is employed on αη. Instead of DSR, a keyed 'mapper' that varies the mapping from the running key to the basis from qumode to qumode can also be employed, including perhaps a polarity (0 or 1) bit to enhance security. Even with the original αη, it can be expected that the randomization or coherent-state noise would increase the unicity distance $n_1$ compared to the ENC box alone used as a cipher. Further details can be found in

For the direct-encryption experiments in Refs. [?], we have claimed "unconditional" security only against ciphertext-only individual attacks. We have claimed only exponential complexity-based security against assisted brute-force search (see [4]) known-plaintext attacks, which is more than the security provided just by the ENC box of Fig. 1 [?]. However, information-theoretic security, even at the near-perfect level for both the key and the data, is possible with additional techniques or CPPM-type schemes described in [3]. Detailed treatment will be given in the future. But see also Ref. [?].

We summarize the main known advantages of αη compared to previous ciphers:

(1) It has more assisted brute-force search complexity for attacks on the key compared to the case when the quantum noise is turned off. For an explicit claim, see [?].

(2) It may, especially when supplemented with further techniques, have information-theoretic security against known-plaintext attacks that is not possible with nonrandom ciphers.

(3) With added Deliberate Signal Randomization (DSR), it is expected to have information-theoretic security on the data far exceeding the Shannon limit.

(4) It has high-speed private true randomization (from quantum noise that even Alice does not know), which is not possible otherwise with current or foreseeable technology.

(5) It suffers no reduction in data rate compared to other known random ciphers.

(6) The key cannot be successfully attacked from a computer terminal with bit outputs, as is possible with standard ciphers.

3.2 αη Key Generation

One needs to clearly distinguish the use of such a scheme for key generation from its use for data encryption. It may first appear that if the system is secure for data encryption, it would also be secure for key generation if the transmitted data are subsequently used as new key. The view taken in [?] seems to be that we have made such a claim, which we have not. The situation may be delineated as follows. Following the notation of the last subsection, Eve may make any quantum measurement on her copy of the quantum signal to obtain $Y_E^n$ in her attack. Such a measurement is made without the knowledge of K. It is then used together with the value of K to estimate the data $X^n$. Although Eve is not actually given K after her measurements, we give it to her conceptually for the purpose of bounding her information. The conditions for unconditional security are complicated, and to satisfy them one needs to extend αη-KG in different possible ways, such as DSR and CPPM described in [3]. However, against attacks with a fixed qumode measurement, Eq. (?) is sufficient and can be readily seen to hold as follows.

With $S = |\alpha_0|^2$ being the average photon number in the states (11), the bit-error rate for Bob with the optimum quantum receiver [22] is

$$P_b \simeq e^{-4S}. \qquad (16)$$

The bit-error rate for heterodyning, considered as a possible attack, is the well-known Gaussian result

$$P_b^{het} \simeq \tfrac{1}{2} e^{-S}, \qquad (17)$$

and that for the optimum-phase measurement tailored to the states in (14) is

$$P_b^{ph} \simeq \tfrac{1}{2} e^{-2S} \qquad (18)$$

over a wide range of S. The difference between Eq. (16) and Eqs. (17)-(18) allows key generation at any value of S if n is long enough. With a mesoscopic signal level $S \sim 7$ photons, one has $P_b \sim 10^{-12}$, $P_b^{het} \sim 10^{-3}$, and $P_b^{ph} \sim 10^{-6}$. If the data arrive at a rate of 1 Gbps, Bob is likely to have $10^9$ error-free bits in 1 second, while Eve would have at least (recall that she actually does not have the key even after her measurements) $\sim 10^6$ or $\sim 10^3$ errors in her $10^9$ bits with the heterodyne or the optimum-phase measurement (which has no known experimental realization). With the usual privacy amplification [23], the users can then generate $\sim 10^6$ or $\sim 10^3$ bits in a 1 second interval by eliminating Eve's information.

While these parameter values are not particularly remarkable, due to the loose bound, and have not been experimentally demonstrated, they illustrate the new KCQ principle of quantum key generation introduced in [?], which creates advantage via the difference between optimal quantum receiver performance with versus without knowledge of a secret key. This principle is more powerful than the previous BB84 principle since it does not rely on intrusion-level estimation to create advantage. Also note that due to the 3 dB advantage limitation of binary signaling (compare Eq. (18) and Eq. (16)), one may use the CPPM scheme [3] and its extensions instead of αη-KG for key generation over long distances. Within the confines of binary signaling, the throughput, though not the advantage, can be greatly increased even for large S by moving the state close to the decision boundary. Detailed treatments will be given in the future.

The heterodyne attack on αη discussed above can of course be launched also on an αη Key Generation system. For parameter values, i.e., values of S, M and n, such that Eq. (15) holds, key generation with information-theoretic security is impossible in principle, since the Shannon limit (?) holds. This point is missed in all the criticisms of αη Key Generation [?], but was explicitly stated in the first version of Ref. [3]. It is at least implicit in Ref. [2], where we said the experiment has to be modified for key generation, and also mentioned the KCQ Key Generation Principle of optimal quantum receiver performance difference. One simple way to break the Shannon limit and protect the key at the same time is to employ DSR. As noted in Section 3.1, its use in αη direct encryption is expected to provide information-theoretic security for the key, and at a level far exceeding the limit [3] for the data. We mention these possible approaches to make it clear that we were aware of the limitations of αη and that we need additional techniques to obtain unconditional security.

4 The Lo-Ko Attacks

4.1 Review of Attacks in [1]

Ref. [1] first describes a known-plaintext attack on the original αη of [2] that can be launched when the channel loss allows Eve to have $2^{|K|}$ copies of the states Bob would receive. With $2^{|K|}$ copies, it is claimed that Eve can use each possible seed key to implement a decryption system similar to Bob's, and by comparing the outputs to the known plaintext of some unspecified length s, can determine the key. Eve thus needs only beamsplitters and detectors similar to Bob's to undermine the system. We shall call this attack Attack I in the sequel. A variant of this attack is also described, in which Eve is assumed to know r s-bit sequences of plaintext, where $r(1-\eta) > 2^{|K|}\eta$. In other words, the channel transmittance η is such that Eve has in her possession, including repeated copies, $2^{|K|}$ ciphertext-states, each corresponding to a known s-bit sequence. What s needs to be is again unspecified. It is claimed that an exhaustive trial of keys would again pin down the key in this case. These attacks are also claimed to work, without any supporting argument, when the plaintext is not exactly known but is drawn from a language, e.g., English.

It is further argued that even in just 3 dB loss (which is not required under our approach of granting Eve a copy of the quantum signal), a Grover quantum search (which will be called Attack II) would succeed in finding K under a known-plaintext attack when $n = \infty$, because then there is only a single possible key value that would give rise to the overall ciphertext-state from the known data $X^n$. This latter claim is in turn justified by the "asymptotic orthogonality" of the ciphertext-states corresponding to different key values, although exactly how this asymptotic orthogonality occurs for different choices of the ENC box in Fig. 1, including the LFSR used, is not described. The purpose of this argument is presumably to claim that a limiting statement such as (10) must be true, thus undermining the system under a known-plaintext attack for large enough n. When the plaintext $X^n$ is not exactly known but is not completely random, i.e., under a statistical attack, such a result is also claimed to hold, without any argument. Also, no estimate of the convergence rate in n is provided for either asymptotic orthogonality or for Eq. (?).

Ref. [1] then assumes that αη Key Generation, in which $X^n$ is taken to be completely random as in all key-generation protocols (so that there is no possibility of a known-plaintext or statistical attack of any kind, at least before the generated key is used in another cipher), proceeds by utilizing the output bits $Y^n = X^n$ directly as key bits to XOR or "one-time pad" on new data. With a known-plaintext attack on these new data, the $X^n$ would be known and the previously described known-plaintext attacks I and II could be applied on the ciphertext-states to find K.

4.2 Response to Attacks

We will first respond to these attacks for direct encryption. The first gap in Attack I is that the length of known plaintext $n_1$ needed to uniquely fix the key is not specified. From Subsection 2.3, we see that Eve needs length equal to the nondegeneracy distance $n_d$ [?] of the ENC box of Fig. 1 to fix the key from exact input-output pairs of the ENC box alone. Actually, $s = n_1$ needs to be larger than this nondegeneracy distance $n_d$ due to the quantum noise randomization. Note also that the ENC box could be chosen to be degenerate, so that it does not even have a nondegeneracy distance and the key could never be pinned down. However, since the LFSR used in [2] is actually nondegenerate, we will not dwell on this point. As it stands, the attack is seriously incomplete without specifying what $s = n_1$ is, or at least providing estimates of it. This corresponds to defect One in our Introduction.

Furthermore, Attack I requires the product $r(1-\eta)$ to be bigger than $\eta\, 2^{|K|}$, which implies that either r or $1/\eta$ is at least exponential in $|K|/2$. Thus, Attack I can be thwarted by increasing the key length linearly, which is relatively easy. As an example, for the key length $|K| \sim 2\times 10^3$ used in [2], one needs a loss of $6\times 10^3$ dB for r = 1, which corresponds to propagation over $\sim 3\times 10^4$ km in the best available fiber, which has a loss of 0.2 dB/km. No conceivable one-stage communication line can be expected to operate over such a long distance. Any future improvements in the loss figure of fibers can only make Eve's task harder, because the number of copies she can tap decreases along with the loss.

If the exponential loss requirement is replaced by that of an exponential length of data, it is equally fanciful. For the key length $|K| \sim 2\times 10^3$, $r = 2^{|K|}$ corresponds to $\sim 10^{600}$ bits of data. How could Eve input $\sim 10^{600}$ bits of data in a chosen-plaintext attack, or know $\sim 10^{600}$ bits in a known-plaintext attack? In any case, even if such large loss obtains, the attacker still has the problem of requiring an exponential number of devices (beamsplitters and detectors in this case) and doing an exponential amount of processing. Apart from the size and time limitations mentioned in Section 2, it seems not possible to ever get $\sim 10^{600}$ devices corresponding to the above key length, considering that the total number of elementary particles in the universe is less than $10^{100}$. This corresponds to defect Two in the Introduction. We should also mention that αη was claimed in [2] to be proved secure against known-plaintext attacks only in the brute-force search sense and not information-theoretically, and so the above attacks do not contradict any claim in [2] even if they were successful.

Before proceeding to Attack II, we first distinguish the following four distinct kinds of statements that can be made on a quantity e(n), based roughly on the value of n being considered:

(i) The value of e(n) at a finite n. This is of interest for a realistic implementation; typically $n \sim 10^2 - 10^4$ is the limit for joint processing of a single block.

(ii) The case expressed by a limit statement on some quantity of interest $e(n) \to 0$ with a quantitative convergence rate estimate $0 \le e(n) \le f(n)$ for n > N, for some large enough N and a known function $f(n) \to 0$.

(iii) The case of the limit statement $\lim_{n\to\infty} e(n) = 0$ without convergence rate estimate. Thus, it is not known how large n needs to be for e(n) to be below a certain given level.

(iv) The case of the value $e(\infty)$ at $n = \infty$. Note that the limiting value of e(n) in Case (iii) above may be different from $e(\infty)$ due to failure of continuity at $n = \infty$.

Observe that the statements in Cases (i)-(iii) are, in that order, progressively weaker statements on the quantity of interest. Case (iv), however, is independent of the previous cases, and can be asserted by evaluating $e(\infty)$ by a route that does not even require e(n) at finite n. In turn, knowing $e(\infty)$ does not allow one to make even a limit statement of the form of Case (iii) unless one can prove continuity at $n = \infty$. We have classified the above cases in order to delineate exactly what Lo and Ko can claim for their Attack II.

Let us now consider Attack II. The first obvious problem with the argument is that Eve does not need to attack the system if she already knows the entire $n \to \infty$ plaintext that will be transmitted using the particular seed key. Lo and Ko give no analysis of their attack for the relevant case in which the plaintext is partially known, i.e., for the case of a statistical attack (this includes the case of Eve knowing a fraction of the plaintext exactly), even in the $n \to \infty$ situation. A little thought will show that the oracle required in Grover search would have an implementation complexity that increases indefinitely with n, making it prohibitive to build in the $n \to \infty$ limit. In other words, the search complexity is not simply $\sim 2^{|K|/2}$ but rather increases with n as well. When there is more than one plaintext possible, Lo and Ko presumably intend to apply Grover search for each plaintext in turn. The number of such repeated applications would obviously grow indefinitely with n if Eve knows only a fraction of the plaintext. In case they intend that a single Grover search be applied to cover all possible plaintexts, they need to produce a specific oracle that would work for this case and analyze its performance. The issue is more critical in actual practice, because it typically does not happen that Eve knows a large length of plaintext, let alone one that is arbitrarily long in the unquantified sense of (iii) above, which is what their attack entails. Furthermore, even if its n dependence is ignored, the $\sim 2^{|K|/2}$ complexity of Grover's search makes it practically impossible to launch for $|K| \sim 2\times 10^3$. Similar to Attack I, Attack II retains all the limitations of being exponential in the key length. This point is an instance of the second defect mentioned in Section 1.
Our second point regarding Attack II relates to the first general defect described in Section 1, namely lack of rigor. We claim that the "asymptotic orthogonality" in [1] is vague in that it is not specified which sense among (ii)-(iv) is meant. Moreover, even assuming that a Case (ii) statement holds, it cannot by itself be translated into even a limit statement of the form of Eq. (10). To see this, let us assume that the pairwise inner product between any of the $2^{|K|}$ ciphertext states $\{|\psi_k\rangle\}$ corresponding to a known plaintext encrypted with the different keys is upper bounded by a function e(n). Let us take

$$\lim_{n\to\infty} e(n) = 0 \qquad (19)$$

to mean "asymptotic orthogonality" in the sense of Case (iii) or even (ii) above. For each n, we can in principle calculate the optimal probability of error $P_E(n)$ in discriminating the $2^{|K|}$ states, which, rather than the inner product, is the relevant quantity of operational significance. It is clear that $P_E(\infty) = 0$ in the sense (iv) above since $e(\infty) = 0$. However, to make the limit statement Eq. (10), one needs to further show from (19) the equivalent statement to (10) that

$$\lim_{n\to\infty} P_E(n) = 0, \qquad (20)$$

perhaps from the claim that the probability of error is a continuous function of e(n). Since the underlying Hilbert space is expanding with n and becoming nonseparable at $n = \infty$, it is not obvious whether continuity would hold, especially at $n = \infty$. In order to convince the reader that the above considerations indeed have real implications, we will in Section 5 use an asymptotic orthogonality argument to 'prove' coherent-state BB84 insecure for any non-zero loss.

Note that [1] does not actually prove "asymptotic orthogonality" in any of the senses (ii)-(iv). As discussed above in connection with Attack I, there are conditions required on the ENC box of Fig. 1 for it to be true just in the sense (iv). On the other hand, we believe that (19) can be proved along with (20) under proper conditions on the ENC box. But one needs precise arguments to make clear the conditions of validity, which [1] does not provide.

Thirdly, even if their claim is correct as a limit statement of the form of Eq. (10), that result has no implication in practice. Indeed, an αη system with an LFSR for the ENC box in Fig. 1 has a periodic running-key output K' of period $n_p = 2^{|K|}/\log_2 M$. It is never meant to be used beyond such $n_p$, similar to the case of standard ciphers, even in the limit of no channel loss. A limiting claim such as Eq. (10), which falls under Case (iii) above, does not say anything about the insecurity of the actual system. These last two points are instances of the first and second defects described in Section 1, namely lack of rigor and insufficient attention to quantitative detail.

Finally, we stress that we were concerned in [2] only with exponential-complexity based security in direct encryption systems, which is as good as unconditional security for real systems. Also, we may mention that various added randomization techniques are introduced in [3] which would modify αη to become a random cipher even in the sense of quantum states. The security of such ciphers against known-plaintext attacks is an entirely open area of research.

We now respond to the Lo-Ko attacks on αη used as a key-generation system. First of all, we only mentioned in [2] the possibility in principle of using the system to do key generation
without giving a complete protocol. We did not imply that the system with the parameters in [2] and without any modifications would function for that purpose. Indeed, in light of the discussion in Sections 2 and 3, the Shannon limit (?) already applies to the original αη of [2] for all practical n. Thus, there is at most $|K|$ bits of uncertainty in $X^n$ to Eve, however long n is, leaving no possibility of key generation. Thus, Lo and Ko overlook the fact that fresh key cannot be generated in principle in their use of αη for key generation. Furthermore, even if the advantage creation condition is ignored, [1] does not include the usual step of privacy amplification that the users can apply to the output to make it a shorter uniformly random key. This omission alone already invalidates their argument. These two points correspond to defect Three of Section 1.

Since the attacks on αη-KG are reduced in [1] to attacks on αη direct encryption, they also suffer the same problems as the attacks on direct encryption above. Indeed, one may conclude a priori that the attacks in [1], even if successful, do not contradict the claims in [2], and are indeed "outside the original design" because they are inapplicable in any realistic situation.

5 Attack on coherent-state BB84

It is claimed in [1] that "our attacks do not apply to BB84 or other standard QKD schemes where the quantum signals are strictly microscopic in the sense that there is (on average) at most one copy of the signal available." We will show that this is false by using an asymptotic orthogonality argument exactly parallel to that in [1], which will 'prove' that coherent-state BB84 using a classical error-correction code is insecure for any nonzero value of loss. Although we do not believe this latter statement to be true without qualification, we present this argument as an example to underscore the importance of rigorous reasoning before making the claim that αη Key Generation is insecure under Attack II in [1].

We denote by b the n-bit string that Alice intends to transmit to Bob in order to share a key. We denote by $|\psi_b\rangle$ the following product coherent state used to transmit b:

$$|\psi_b\rangle = \bigotimes_{i=1}^{n} |\alpha_{b_i}^{\beta_i}\rangle. \qquad (21)$$

Here the superscript $\beta_i$ defines which of the two BB84 bases is used for the ith transmission and the subscript $b_i$ is the ith bit of b. The exact form of the states $|\alpha_{b}^{\beta}\rangle$ depends on the implementation. All that is relevant for our attack is to note the obvious fact that, for each β, the states $|\alpha_0^{\beta}\rangle$ and $|\alpha_1^{\beta}\rangle$ are distinct, and so $|\langle\alpha_0^{\beta}|\alpha_1^{\beta}\rangle| < 1$. The attack works as follows: when the channel transmittance is η, Eve simply splits a fraction $1-\eta$ of the energy using a beamsplitter and thus has in her possession the state

$$|\psi_b^E\rangle = \bigotimes_{i=1}^{n} |\sqrt{1-\eta}\,\alpha_{b_i}^{\beta_i}\rangle. \qquad (22)$$

Eve holds this state in her quantum memory, while transmitting the remaining energy to Bob through a lossless line. Bob is thus totally oblivious of Eve's presence. She then listens to the public announcements of Alice and Bob, and discards along with Alice and Bob the bit positions where Bob observes a count in both or no detectors. She also rotates all the component states to the same basis according to the announcement of bases by Alice. Accordingly, we may suppress the superscript $\beta_i$. Next, according to the protocol, Alice and Bob estimate the error rate on a subset of their choice. Let us now assume that n refers to the remaining subset. If the fraction of errors in the test set is under the error threshold δ, Alice and Bob select an (n, k, d) code with $d > 2\delta n$ to correct the errors on the remaining bits. After the announcement of the syndrome of b with respect to the chosen code, the number of possible b's goes down to $M = 2^k$ rather than the original number of possibilities $2^n$. Eve, listening on the public channel, can determine which possibilities remain, and can launch a powerful attack, as seen in the following.

The inner product of Eve's states corresponding to two admissible bit sequences b and b' is

$$|\langle\psi_b^E|\psi_{b'}^E\rangle| = \prod_{i=1}^{n} |\langle\sqrt{1-\eta}\,\alpha_{b_i}|\sqrt{1-\eta}\,\alpha_{b'_i}\rangle| = \epsilon^{\delta_H(b,b')} \le \epsilon^{d} \le \epsilon^{2\delta n}. \qquad (23)$$

Here $\delta_H(b,b')$ is the Hamming distance between the strings b and b', which is restricted to be at least the distance d of the code, and

$$\epsilon = |\langle\sqrt{1-\eta}\,\alpha_0|\sqrt{1-\eta}\,\alpha_1\rangle| < 1. \qquad (24)$$

Since ε is strictly less than 1, Eq. (23) shows that the M possibilities become orthogonal in the senses (ii)-(iv) of the previous section. One thus has the result that the probability of error on b, $P_E(\infty) = 0$, since Eve can distinguish orthogonal states without error. If one pulls this Case (iv) statement to a Case (iii) limiting statement of Eve's error probability $P_E(n)$ on b, parallel to the argument in [1] which takes (19) to (20), it would imply that the system would become insecure for large n and any nonzero value of loss!
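The overlap bound of Eqs. (23)-(24) can be made concrete, including the n-dependence that a Case (ii) convergence-rate statement would require and that the asymptotic-orthogonality argument never supplies. The following is an added example, not code from the paper: it assumes the standard coherent-state identity $|\langle a|b\rangle| = e^{-|a-b|^2/2}$ (a known result, not stated on the page), constructed amplitudes α₀ = 1 and α₁ = −1 for one basis, and constructed codewords b, b'.

```python
"""Added example (not the paper's code): Eve's pairwise overlap bound,
Eqs. (23)-(24), for the beamsplitter attack on coherent-state BB84, and the
block length n at which that bound alone reaches a given level.

Assumptions (not from the text): the standard coherent-state identity
|<a|b>| = exp(-|a-b|^2 / 2); after basis reconciliation the two signal
states in a basis have complex amplitudes alpha_0 and alpha_1; bit strings
are Python strings of '0'/'1'.
"""
import math

def coherent_overlap(a, b):
    """|<a|b>| for coherent states of complex amplitudes a and b."""
    return math.exp(-abs(a - b) ** 2 / 2.0)

def eps(eta, alpha0, alpha1):
    """Eq. (24): overlap of Eve's copies, which carry a fraction 1-eta of the energy."""
    s = math.sqrt(1.0 - eta)
    return coherent_overlap(s * alpha0, s * alpha1)

def hamming(b, bp):
    """delta_H(b, b') of Eq. (23)."""
    if len(b) != len(bp):
        raise ValueError("codewords must have equal length")
    return sum(x != y for x, y in zip(b, bp))

def eve_inner_product(eta, alpha0, alpha1, b, bp):
    """Left-hand side of Eq. (23): product of per-qumode overlaps of Eve's
    states for codewords b and b'.  Equals eps ** hamming(b, bp)."""
    s = math.sqrt(1.0 - eta)
    amp = {"0": s * alpha0, "1": s * alpha1}
    prod = 1.0
    for x, y in zip(b, bp):
        prod *= coherent_overlap(amp[x], amp[y])
    return prod

def eq23_chain(eta, alpha0, alpha1, b, bp, d, delta):
    """The three members of Eq. (23) for an (n, k, d) code with d > 2*delta*n:
    (|<psi_b|psi_b'>|, eps^d, eps^(2*delta*n)).  Raises if the premises
    (Hamming distance >= d, d > 2*delta*n) do not hold for the inputs."""
    n = len(b)
    if hamming(b, bp) < d:
        raise ValueError("b and b' are not both codewords of a distance-d code")
    if not d > 2 * delta * n:
        raise ValueError("code distance must exceed 2*delta*n")
    e = eps(eta, alpha0, alpha1)
    return eve_inner_product(eta, alpha0, alpha1, b, bp), e ** d, e ** (2 * delta * n)

def n_for_overlap_bound(eta, alpha0, alpha1, delta, target):
    """Smallest n for which the right-hand bound eps^(2*delta*n) <= target.

    This is the Case (ii) convergence-rate statement for the overlap bound.
    As eta -> 1 (little loss) eps -> 1 and the required n grows without limit,
    even though the Case (iv) value at n = infinity is 0 for every eta < 1.
    """
    e = eps(eta, alpha0, alpha1)
    if not e < 1.0:
        raise ValueError("states are not distinct after attenuation (eps = 1)")
    return math.ceil(math.log(target) / (2.0 * delta * math.log(e)))

if __name__ == "__main__":
    # constructed inputs: one basis with alpha_0 = +1, alpha_1 = -1 (S = 1 photon),
    # two length-7 strings at Hamming distance 2, code distance d = 2, delta = 0.05
    B, BP = "0110100", "0011100"
    lhs, bound_d, bound_2dn = eq23_chain(0.9, 1.0, -1.0, B, BP, 2, 0.05)
    print(f"|<psi_b|psi_b'>| = {lhs:.4f} <= eps^d = {bound_d:.4f} "
          f"<= eps^(2 delta n) = {bound_2dn:.4f}")
    for eta in (0.5, 0.9, 0.99, 0.999):
        print(f"eta={eta}: eps={eps(eta, 1.0, -1.0):.4f}, n for bound <= 1e-6: "
              f"{n_for_overlap_bound(eta, 1.0, -1.0, 0.05, 1e-6)}")
```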

We stress that the above result cannot be correct for all values of the signal energy, channel loss and other parameters such as the code rate k/n, no matter how large n is. One reason for doubting its universal correctness is that it would contradict the known classical information transmission capacity of a lossy bosonic channel [24]. However, the line of argument is exactly parallel to that of [1]. We give it here to demonstrate the consequences of jumping to a limiting statement from an $n = \infty$ statement on the error probability. However, we do believe that the above attack has not been accounted for in the security proofs in the literature. Indeed, we agree with [1] that it is "interesting to study the subtle loopholes in existing schemes," and that one should "never under-estimate the effort and ingenuity that your adversaries are willing to spend on breaking your codes."

6 Other comments on Lo-Ko [1]

In this section we comment on some other claims in [1]. 

(i) The authors of [1] seem to believe that optical amplifiers can be and are used to compensate for an arbitrary amount of loss provided mesoscopic signal levels are used. The supposed existence of such high-loss links in optical systems is perhaps the reason that they state that their "(beamsplitter) attack can to some extent, be implemented with current technology," and that "our attacks severely limit the extent of such optical amplification." In reality, however, optical amplifiers are noisy (i.e., they degrade the probability of error for all measurements except heterodyne [25]) irrespective of signal strength. Thus, in practice, in order to retain an acceptable signal-to-noise ratio at the output, optical amplifiers are placed at periodic intervals in a long-distance fiber link, with the first optical amplifier being inserted long before the channel transmittance decays to $\sim 2^{-|K|}$ for $|K|$ in the range of $|K| \sim 1000$. So, Lo and Ko need to specify exactly how they would proceed to attack such an optically-amplified line, for which each section has

$$\eta \gg 2^{-|K|}.$$

Optical-amplifier noise actually provides limits of operation for both αη and αη-KG. For αη-KG, the optical amplifier noise would limit the attainable advantage needed for key generation. For αη direct encryption, amplifier noise is a limit when there is too much of it, but it is a help against Eve when present in a moderate amount. See for example [17]. The full story of loss and amplifiers in αη systems depends on implementation and additional security techniques to be deployed on top of basic αη, and is yet to be told.

(ii) We do not believe that their attacks can be implemented to any useful extent with current or future technology, as they require exponential resources and processing.

(iii) It was pointed out in [1] that "mesoscopic states for quantum key distribution was first proposed by Bennett and Wiesner [26] in 1996." The principle underlying that scheme is the usual BB84-type disturbance/information tradeoff, which is radically different from our KCQ principle. Indeed, the mesoscopic nature of the signal in that scheme is a hindrance and not a help to the operation of the cryptosystem, due to sensitivity problems. This is because it is not the absolute strength of the signals that matters, but rather whether they are distinguishable. The large signals in [26] still have only one photon average difference between them. As the large signal gets attenuated in a lossy line, the one-photon difference also gets attenuated correspondingly. Thus, as compared to the small-signal case, these large signals are distinguishable at the receiver with the same absolute difficulty, but with a bigger relative difficulty, since the signal level difference is now a much smaller percentage of the absolute level.

7 Conclusions 

There are two main claims in pQ against the original an cryptosystem of [21 0] • 

(1) It is broken in high loss channels by a beamsplitter attack (Attack I) and in 3 dB loss by 
a quantum search (Attack II) when the attacker knows a sufficiently long plaintext for 
Attack I and infinitely long plaintext for Attack II. The lack of security is taken in the 
information-theoretic sense that the seed key K could be uniquely determined. 

(2) If the output of an αη key-generation (αη-KG) system is directly used as the key in a 
"one-time pad" cipher, then a known-plaintext attack on that cipher would allow one to 
launch the above known-plaintext attacks on αη-KG. 

Our detailed response has been given in this paper, which describes the proper framework 
for discussing these attacks and shows that the arguments in [1] fail at many levels. A brief 
summary of our response follows: 

For direct encryption, Attack I requires either loss that is exponentially large in the key 
length or knowledge of an exponentially long sequence of plaintext, both of which are unrealistic. 
Attack II, by requiring n to be infinite, is not applicable, as the original αη is designed to run 
for a finite n. That attack also contains gaps in the reasoning for making even a limiting 
insecurity statement. While it is claimed that these attacks work when just the statistics 
of the plaintext are known, it is not described how they would even proceed, not to mention their 
quantitative performance. Also, the attacks, even if successful, do not undermine our claims 
in [2] of exponential assisted brute-force search complexity under known-plaintext attacks. 

The attacks on αη as a key-generation system are founded on a key-generation protocol 
created by Lo and Ko, since no key-generation system was detailed in [2]. Their key-generation 
protocol omits the crucial step of privacy amplification before the generated key is used in 
an encryption system. In addition, the attacks are not relevant for the security of αη with 
the parameters of [2] since, for the information-theoretic security of the key studied in [1], the 
heterodyne attack described in [3] and in this paper, and not recognized in [1], prevents the 
original αη from generating fresh keys due to the Shannon limit. 

Perhaps more significantly, we have described various security features of αη that appear 
to be widely misunderstood, partly because little is known on the corresponding classical 
or standard cryptosystems. We hope this paper explains our new approach sufficiently to 
dispel misunderstandings, and at the same time highlights many important considerations on 
quantum cryptography in action. 
Appendix A Security Against Known-Plaintext Attack 

In this appendix, we provide a brief quantitative discussion of known-plaintext attacks on 
random and nonrandom ciphers that is not available in the literature. For nonrandom ci- 
phers, we have the following 

Proposition A 

If a nonrandom cipher has nondegeneracy distance $n_d$, then it is broken by a known-plaintext 
attack with data length $n = n_d$. Moreover, $n = n_d$ is the smallest $n$ for which the cipher is broken 
with probability 1. 

Proof: For any three jointly distributed random vectors $X^n$, $Y^n$, $K$, we have the identity 

$$H(Y^n|X^n) + H(K|X^nY^n) = H(K|X^n) + H(Y^n|KX^n). \qquad (25)$$

For a nonrandom cipher, $H(Y^n|KX^n) = 0$. In general, $H(K|X^n) \le H(K)$. Thus (25) gives 
$H(K|X^nY^n) = H(K|X^n) - H(Y^n|X^n)$, which vanishes at any $n$ satisfying Eq. (10) or Eq. (11), 
and vice versa. From its definition, $n_d$ is thus the smallest data length at which the key is 
found for any given $x^n$. 
A similar result clearly holds for chosen-plaintext attacks. Note that if we consider the 
equation 

$$H(X^n|Y^n) + H(K|X^nY^n) = H(K|Y^n) + H(X^n|KY^n), \qquad (26)$$

then, under (26), a random cipher is broken by a known-plaintext attack if $H(X^n|Y^n)$ satisfies 
the Shannon limit with equality. However, if one is satisfied with using entropies as 
quantitative measures of security, one may have a situation where 

$$\inf_n H(X^n|Y^n) = \lambda_1 H(K), \qquad (27)$$

$$\inf_n H(K|X^nY^n) = \lambda_2 H(K), \qquad (28)$$

$$\inf_n H(K|Y^n) = (\lambda_1 + \lambda_2) H(K), \qquad (29)$$

under the constraint (26), where $0 < \lambda_1, \lambda_2 < 1$ and $\lambda_1 + \lambda_2 < 1$. Equations (27) to (29) may still provide 
satisfactory levels of security if $|K|$ is long enough, and if Eve's information on the data, 
bounded by $\lambda_1 H(K)$, does not help Eve reduce her uncertainty on the rest of the data 
below whatever designed level (we cannot enter into a detailed discussion, as one problem of 
using entropies as quantitative measures of security shows up here). While we have not exhibited 
any specific random cipher with such characteristics, it has not been ruled out either. 
On the other hand, if redundant key use or degeneracy is avoided for nonrandom ciphers, 
then Proposition A applies. A detailed development will be given elsewhere. 
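As an added worked example for Appendix A (our illustration, not code from the original paper), the following Python script enumerates the joint distribution of $(K, X^n, Y^n)$ for two toy additive stream ciphers, checks identity (25) numerically, and searches for the nondegeneracy distance $n_d$ as the smallest $n$ at which $H(K|X^nY^n) = 0$. The toy model assumes a 4-bit key uniform on $\{0,\dots,15\}$, plaintext bits i.i.d. uniform and independent of the key, and $Y_i = X_i \oplus Z_i(K)$ with a deterministic keystream $Z(K)$, so both ciphers are nonrandom and $H(Y^n|KX^n) = 0$. The LFSR-keyed cipher is nondegenerate and is broken at $n_d = 4$ known-plaintext bits; the second cipher derives its keystream from only three of the four key bits, so it is degenerate and $H(K|X^nY^n)$ never falls below one bit, which is why Proposition A requires degeneracy to be avoided.

```python
# Added worked example for Appendix A (not code from the original paper):
# exhaustive computation of the entropies in identity (25) for two toy
# additive stream ciphers, and of the nondegeneracy distance n_d.
# Assumptions of the toy model: a 4-bit key K uniform on {0,...,15},
# plaintext bits X^n i.i.d. uniform and independent of K, and
# Y_i = X_i XOR Z_i(K) with Z(K) a deterministic keystream (nonrandom cipher).
from collections import Counter
from itertools import product
from math import log2

M = 4  # key length in bits (toy parameter)


def entropy_bits(counts):
    """Shannon entropy in bits of an empirical distribution given as a Counter."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values() if c)


def H(samples, *fields):
    """Entropy of the marginal on `fields`, from a list of equiprobable outcomes."""
    return entropy_bits(Counter(tuple(s[f] for f in fields) for s in samples))


def H_cond(samples, target, given):
    """Conditional entropy H(target | given) = H(target, given) - H(given)."""
    return H(samples, *target, *given) - H(samples, *given)


def keystream_lfsr(k, n):
    """Nondegenerate keystream: Fibonacci LFSR with feedback s[i+4] = s[i] XOR s[i+3],
    seeded with the key bits. The first M output bits are the M key bits themselves,
    so the map K -> Z^n is injective as soon as n >= M."""
    state = [(k >> i) & 1 for i in range(M)]
    out = []
    for _ in range(n):
        out.append(state[0])
        feedback = state[0] ^ state[3]
        state = state[1:] + [feedback]
    return out


def keystream_degenerate(k, n):
    """Degenerate keystream: bit i is the parity of (K AND mask_i), and no mask
    touches key bit 3, so K and K XOR 0b1000 produce identical ciphertexts."""
    masks = [0b0001, 0b0010, 0b0100, 0b0011, 0b0101, 0b0110, 0b0111]
    return [bin(k & masks[i % len(masks)]).count("1") & 1 for i in range(n)]


def joint_samples(keystream, n):
    """All equiprobable outcomes (K, X^n, Y^n) of the cipher for data length n."""
    samples = []
    for k in range(2 ** M):
        z = keystream(k, n)
        for x in product((0, 1), repeat=n):
            y = tuple(xi ^ zi for xi, zi in zip(x, z))
            samples.append({"K": k, "X": x, "Y": y})
    return samples


def analyze(keystream, n):
    """Return the four entropies of identity (25) and check that it holds."""
    s = joint_samples(keystream, n)
    terms = {
        "H(Y|X)": H_cond(s, ["Y"], ["X"]),
        "H(K|XY)": H_cond(s, ["K"], ["X", "Y"]),
        "H(K|X)": H_cond(s, ["K"], ["X"]),
        "H(Y|KX)": H_cond(s, ["Y"], ["K", "X"]),
    }
    lhs = terms["H(Y|X)"] + terms["H(K|XY)"]
    rhs = terms["H(K|X)"] + terms["H(Y|KX)"]
    assert abs(lhs - rhs) < 1e-9, "identity (25) must hold for any joint distribution"
    return terms


def nondegeneracy_distance(keystream, n_max):
    """Smallest n with H(K|X^n Y^n) = 0 (Proposition A), or None if the key is still
    not determined at n_max, i.e. the cipher is degenerate over that range."""
    for n in range(1, n_max + 1):
        if analyze(keystream, n)["H(K|XY)"] < 1e-9:
            return n
    return None


if __name__ == "__main__":
    for name, ks in (("LFSR (nondegenerate)", keystream_lfsr),
                     ("masked parity (degenerate)", keystream_degenerate)):
        print(name)
        for n in range(1, 7):
            t = analyze(ks, n)
            print(f"  n={n}: " + ", ".join(f"{k}={v:.3f}" for k, v in t.items()))
        print("  n_d =", nondegeneracy_distance(ks, 8))
```

Running the script prints, for each data length, the four terms of (25); for the LFSR cipher $H(K|X^nY^n) = 4 - n$ for $n \le 4$ and the key is pinned down exactly at $n_d = 4$, while for the degenerate cipher $H(K|X^nY^n)$ plateaus at 1 bit from $n = 3$ onward and no finite $n_d$ exists. Because the plaintext is independent of the key, $H(K|X^n) = H(K) = 4$ throughout, so the vanishing of $H(K|X^nY^n)$ coincides with $H(Y^n|X^n)$ reaching $H(K)$, which is the condition Proposition A rests on.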